Has Siri left your iPhone 4S unlocked?

Apple’s new “Siri” feature, the voice-activated personal assistant built into the iPhone 4S, leaves owners’ spanking new smartphones partially unguarded.

Those of us who work in the security arena have often banged on about the importance of securing your smartphone with a password or passcode to prevent unauthorised access.

Most mobile phone manufacturers have recognised that as so many people use their smartphones to manage their their diaries, their private communications, and their social lives, it’s good to have some form of security.

Which leaves Apple with some egg on its face regarding Siri.

Even if an iPhone 4S is locked with a passcode, a complete stranger can come up to your smartphone, press the button and give Siri a spoken command.

I borrowed a passcode-locked iPhone 4S from a colleague here at Sophos and, with his permission, was able to write an email, and send a text message. If I had wanted to I could have meddled with his calendar appointments too.

All without having to enter the passcode. I’m sure you can imagine some of the ways this could potentially be abused.

Fortunately there’s an easy way for security-conscious users to disable Siri when their phone is locked.

Enter “Settings/General/Passcode Lock” on your iPhone 4S, and make sure that the “Siri” option is set to “Off”.

That way Siri cannot be used when the smartphone is locked with a passcode. Which seems the sensible option to me in most circumstances.

(In the case of the colleague’s iPhone 4S that I borrowed, I might also suggest that he switch from having a “simple” numeric passcode to a more complex version too).

What’s disappointing to me though is that Apple had a clear choice here.

They could have chosen to implement Siri securely, but instead they decided to default to a mode which is more about impressing your buddies than securing your calendar and email system.

It’s not as though Siri impressed me enormously anyway during my brief play with it. 30% of the time it misinterpreted what I was trying to say.

Mobile security is a serious subject of course, and Sophos provides a free Mobile Security Toolkit to help you raise awareness about mobile security risks amongst your staff.

Check out the following promo video Sophos made which emphasises the importance of having a passcode on your smartphone: